Sunday, May 16, 2010

WSSE Authentication in TypePad Atom Publishing API

Yes, has their very own Atom Publishing API. You can find it here. Be warned though that if you use it, always bear in mind that it's in "alpha" state and will change with or without notice.

To explain briefly, the API doesn't use a regular give-me-your-password-and-username protocol for authentication. Instead, it's using ATOM chosen's authentication, WSSE Username Token (PDF), since it's based on that. Now, let's proceed and discuss below how it works and how to implement it.

As shown in the text here, WSSE authentication is sent as part of the header request and is represented by "X-WSSE" (similar to headers like Content-Type, Content-Encoding etc). Examine the sample header request below.

X-WSSE: UsernameToken  Username="",

Username is the email address that you used for Typepad registration. The API doc will say Typepad username but in fact there aren't any except your email, so don't be confused.

Created is the ISO-8601 timestamp marking when Nonce was created. Well at least it's supposed to be that even if it's poorly implemented. As a matter of fact, you can really put in anything as its value even if its not a valid date.

Nonce is a unique key produced by your client / application talking to Typepad's Atom API for each request. Usually you can produce this value using session IDs, pseudo-random numbers, sequences etc. The API has nothing to do with its creation. It's your application that does it.

PasswordDigest is base64 encoded value of the sha1 raw digest of the concatenated values of your Nonce, Created and Typepad Password. Make sure that your sha1 digest is the 20-digit binary digest and not the 40-digit hexadecimal equivalent or you might encounter problems. Some programming languages implement both (i.e. PHP). See example PHP snippet on how it's calculated below.

$nonce = session_id();
$created = date("c");
$pass_digest = base64_encode(sha1($nonce . $created . $pass, TRUE));

Now that you have all the values required, build up the X-WSSE header string and add it to the request header for your API transactions. If you've understood and followed how it's done above, you should be able to authenticate properly and use the service / API easily without encountering any problems.
  • Related Links Widget for Blogspot

No comments: